04-30-2006, 06:05
deroko
GDT from SoftICE
Code:
:gdt
...
0030  Data32    FFDFF000  00001FFF  0    P   RW <--- KPCR
003B  Data32    7FFDE000  00000FFF  3    P   RW <--- TEB
So, to read the address at fs:[124h], you should type

dd FFDFF000+124

When you get the address, you might want to play with it a little bit with:

dt nt!_ETHREAD <address> and so on, to explore the state of some interesting system structures. I don't know if something changed on Win2k3, but you can always use wARK to get the GDT and you will get the address of fs without a problem. As I said, maybe they have changed something in the internal structures, so maybe fs:[124] doesn't point to CurrentThread; to be sure, you should explore the structures with:

dt nt!_structure (eg. dt nt!_KPCR, dt nt!_KPRCB etc...)

Regards
__________________
http://accessroot.com

Last edited by deroko; 04-30-2006 at 06:22.
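The translation deroko does by hand above (take the base of the descriptor that fs selects, add the offset) is the same thing the CPU does on every fs:[...] access. The following is an added example, not code from the post, that encodes and decodes raw 8-byte x86 GDT descriptors and resolves a selector:offset pair to a linear address, checking the present bit and the segment limit on the way. The GDT it walks is constructed for the example: only slots 0x30 (KPCR) and 0x3B (TEB) are filled, with the base, limit, DPL and type values shown in the SoftICE listing; the granularity bit is assumed clear because the listed limits are byte limits.

```python
"""Decode x86 GDT descriptors and turn selector:[offset] into a linear address.

Added example for the post above; the GDT contents are constructed from the
SoftICE ':gdt' listing (slots 0x30 and 0x3B only), everything else is empty.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class SegmentDescriptor:
    base: int
    limit: int            # raw 20-bit limit field
    dpl: int
    present: bool
    system: bool          # S bit clear: TSS/LDT/gate rather than code/data
    type_: int            # 4-bit type field
    default32: bool       # D/B bit (SoftICE shows this as "Data32")
    granularity4k: bool   # G bit: limit counts 4 KiB pages, not bytes

    @property
    def effective_limit(self) -> int:
        # With G=1 the hardware uses (limit << 12) | 0xFFF as the byte limit
        return (self.limit << 12) | 0xFFF if self.granularity4k else self.limit

    @property
    def writable(self) -> bool:
        # Data segments: type bit 1 is W; only meaningful for non-system data
        return not self.system and not self.is_code and bool(self.type_ & 0b0010)

    @property
    def is_code(self) -> bool:
        return not self.system and bool(self.type_ & 0b1000)


def encode_descriptor(base: int, limit: int, dpl: int, *, present: bool = True,
                      type_: int = 0b0010, system: bool = False,
                      default32: bool = True, granularity4k: bool = False) -> bytes:
    """Pack one 8-byte descriptor (type 0b0010 = read/write data segment)."""
    assert 0 <= base <= 0xFFFFFFFF and 0 <= limit <= 0xFFFFF and 0 <= dpl <= 3
    access = (int(present) << 7) | (dpl << 5) | (int(not system) << 4) | (type_ & 0xF)
    flags = (int(granularity4k) << 7) | (int(default32) << 6) | ((limit >> 16) & 0xF)
    return struct.pack("<HHBBBB",
                       limit & 0xFFFF,          # limit[15:0]
                       base & 0xFFFF,           # base[15:0]
                       (base >> 16) & 0xFF,     # base[23:16]
                       access,                  # P, DPL, S, type
                       flags,                   # G, D/B, L, AVL, limit[19:16]
                       (base >> 24) & 0xFF)     # base[31:24]


def decode_descriptor(raw: bytes) -> SegmentDescriptor:
    """Unpack the scattered base/limit fields of one 8-byte GDT entry."""
    if len(raw) != 8:
        raise ValueError("a GDT entry is exactly 8 bytes")
    limit_lo, base_lo, base_mid, access, flags, base_hi = struct.unpack("<HHBBBB", raw)
    return SegmentDescriptor(
        base=(base_hi << 24) | (base_mid << 16) | base_lo,
        limit=((flags & 0xF) << 16) | limit_lo,
        dpl=(access >> 5) & 3,
        present=bool(access & 0x80),
        system=not (access & 0x10),
        type_=access & 0xF,
        default32=bool(flags & 0x40),
        granularity4k=bool(flags & 0x80),
    )


def split_selector(selector: int):
    """Return (index, table_indicator, rpl): index*8 is the byte offset into the GDT."""
    return selector >> 3, bool(selector & 0b100), selector & 0b11


def segment_to_linear(gdt: bytes, selector: int, offset: int) -> int:
    """Resolve selector:[offset] the way the CPU does, with present/limit checks."""
    index, ti, _rpl = split_selector(selector)
    if ti:
        raise ValueError("selector references the LDT, not the GDT")
    desc = decode_descriptor(gdt[index * 8:index * 8 + 8])
    if not desc.present:
        raise ValueError(f"descriptor {index} is not present")
    if offset > desc.effective_limit:
        raise ValueError(f"offset {offset:#x} exceeds segment limit {desc.effective_limit:#x}")
    return (desc.base + offset) & 0xFFFFFFFF


# Constructed GDT: slots 0x30 (index 6, KPCR) and 0x3B (index 7, TEB) as listed
# by SoftICE in the post; indices 0-5 are left as null descriptors here.
KPCR_DESC = encode_descriptor(0xFFDFF000, 0x1FFF, 0)
TEB_DESC = encode_descriptor(0x7FFDE000, 0x0FFF, 3)
SAMPLE_GDT = bytes(8) * 6 + KPCR_DESC + TEB_DESC


if __name__ == "__main__":
    # Ring-0 fs selector 0x30 -> fs:[124h] is at KPCR base + 0x124
    print(f"fs:[124h] -> {segment_to_linear(SAMPLE_GDT, 0x30, 0x124):#010x}")
    # Ring-3 fs selector 0x3B -> TEB; an offset past the limit is refused
    print(f"fs:[18h]  -> {segment_to_linear(SAMPLE_GDT, 0x3B, 0x18):#010x}")
```

Run as a script it prints the same `FFDFF000+124` sum the post computes; the limit check is what makes a `dd` past the end of the 0x1FFF-byte KPCR segment a fault on real hardware rather than a read from whatever follows it.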